Reply To: firewall doesn’t work – whats wrong with my config ?


#53610

redfive
Participant

The Input (1) and Output (2) chains refer to traffic destined to (1) or generated by (2) the firewall itself; if you want to deny traffic forwarding among interfaces, you have to work on the Forward chain (even though a few rules on the input chain are still necessary for security reasons).
A simple example, assuming you want to allow traffic from the LAN behind ZS (ETH01) to everything beyond ZS (so, the web as well as the network between ZS and the web).
input chain (default policy DROP)

1  ETH00  *  ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
2  ETH01  *  ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

forward chain (default policy DROP)

1  ETH00  ETH01  ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 state RELATED,ESTABLISHED
2  ETH01  ETH00  ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

If instead your main network is 192.168.1.0/24, and you want to manage ZS from this network, and you also want to allow web access from ETH01 while denying access to the network 192.168.1.0/24:
input chain (default policy DROP)

1  ETH00  *  ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
2  ETH01  *  ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

forward chain (default policy DROP)

1  ETH00  ETH01  ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 state NEW,RELATED,ESTABLISHED
2  ETH01  ETH00  DROP all opt -- in ETH01 out ETH00 0.0.0.0/0 -> 192.168.1.0/24
3  ETH01  ETH00  ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

You may want to declare the management interface; this can be done under Setup, Web and SSH.
Remember to declare one or more DNS servers under DNS, Forwarders, and in the DHCP pool also declare ZS as the DNS server (the same IP address as the default gateway).

Obviously, this is only a sample, but you can do everything you want with iptables…
Compliments on your network description!
Regards
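The second scenario above (manage ZS from 192.168.1.0/24, let ETH01 reach the web, but block ETH01 from reaching 192.168.1.0/24), written as the equivalent raw iptables commands. This is an added example, not redfive's post or Zeroshell's own configuration: it assumes ETH00 faces the upstream/management side and ETH01 the LAN, uses `-m conntrack --ctstate` in place of the listing's `state` match, and adds a dry-run mode plus an ordering check, because the DROP toward 192.168.1.0/24 only works if it sits before the broad ACCEPT (iptables stops at the first matching rule).

```shell
#!/bin/sh
# Added example; interfaces and subnets are assumptions taken from the post.
# IPT=echo turns every rule into printed text instead of a kernel change.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ETH00}"            # upstream / management side
LAN_IF="${LAN_IF:-ETH01}"            # LAN behind ZS
LAN_NET="${LAN_NET:-192.168.2.0/24}" # LAN behind ZS
MGMT_NET="${MGMT_NET:-192.168.1.0/24}" # network that ETH01 must not reach

# Correct order: the narrow DROP precedes the broad ACCEPT.
fw_apply() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -F INPUT
  $IPT -F FORWARD
  # INPUT: management from the ETH00 side, and everything from the LAN.
  $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -i "$LAN_IF" -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  # FORWARD: replies (and new flows, as in the post) toward the LAN.
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
       -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  # FORWARD: block the LAN from the management network FIRST ...
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$MGMT_NET" -j DROP
  # ... then allow the LAN to go anywhere else (the web).
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
       -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
}

# Wrong order, kept only to show what the check catches: the ACCEPT to
# 0.0.0.0/0 matches first, so the DROP below it is never reached.
fw_apply_misordered() {
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
       -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$MGMT_NET" -j DROP
}

# fw_check_order <rule-function>: dry-run the function and return 0 only if
# the DROP toward MGMT_NET is listed before the LAN_NET ACCEPT.
fw_check_order() {
  gen="$1"
  rules=$(IPT=echo; "$gen")
  drop=$(printf '%s\n' "$rules" | grep -n -- "-d $MGMT_NET -j DROP" | cut -d: -f1)
  acc=$(printf '%s\n' "$rules" | grep -n -- "-s $LAN_NET " | grep ACCEPT | cut -d: -f1)
  [ -n "$drop" ] && [ -n "$acc" ] && [ "$drop" -lt "$acc" ]
}

case "${1:-}" in
  --dry-run) (IPT=echo; fw_apply) ;;
  --check)   fw_check_order fw_apply && echo "rule order OK" ;;
  --apply)   fw_check_order fw_apply && fw_apply ;;
esac
```

Run `sh fw.sh --dry-run` to see the exact commands Zeroshell's listing corresponds to, and `--check` to confirm the ordering before applying anything; `--apply` refuses to load the rules if the DROP would be shadowed.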